From 4a656e329d93e0ceb1f27dff08230a00006f7bb0 Mon Sep 17 00:00:00 2001
From: Alex Zhuravlev
Date: Sun, 24 Nov 2024 14:34:45 +0300
Subject: [PATCH] LU-18485 ptlrpc: use-after-free in batch_send_update_req
if rpc in batch_send_update_req() is async, then the interpreter (freeing the head) can be called sooner than lprocfs_oh_tally_log2() (using the head):
BUG: unable to handle kernel paging request at ffffa35eb3668018
PGD 100090067 P4D 100090067 PUD 100091067 PMD 14d0c0067 PTE 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 10997 Comm: ll_sa_10979 Tainted: G W O
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1
RIP: 0010:batch_send_update_req.constprop.1.cold.4+0xb5/0x1d1 [ptlrpc]
Fixes: a20f25d24b5 ("LU-14139 statahead: add stats for batch RPC requests")
Signed-off-by: Alex Zhuravlev
Change-Id: I65588da9a772e0109bfc133c4057b1effc0e7e5b
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/57116
Reviewed-by: Andreas Dilger
Reviewed-by: James Simmons
Reviewed-by: Oleg Drokin
Tested-by: Maloo
Tested-by: jenkins
---
 lustre/ptlrpc/batch.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lustre/ptlrpc/batch.c b/lustre/ptlrpc/batch.c
index 47bd32c..7c1d091 100644
--- a/lustre/ptlrpc/batch.c
+++ b/lustre/ptlrpc/batch.c
@@ -459,6 +459,9 @@ static int batch_send_update_req(const struct lu_env *env,
 if (!(flags & BATCH_FL_RDONLY))
 ptlrpc_get_mod_rpc_slot(req);
+ lprocfs_oh_tally_log2(&obd->u.cli.cl_batch_rpc_hist,
+ head->buh_update_count);
+
 if (flags & BATCH_FL_SYNC) {
 rc = ptlrpc_queue_wait(req);
 } else {
@@ -474,8 +477,6 @@ static int batch_send_update_req(const struct lu_env *env,
 if (req != NULL)
 ptlrpc_req_put(req);
- lprocfs_oh_tally_log2(&obd->u.cli.cl_batch_rpc_hist,
- head->buh_update_count);
 RETURN(rc);
 }
--
1.8.3.1
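Review bot: The relocated `lprocfs_oh_tally_log2()` call in the first hunk has no comment explaining why it must run before the request is submitted, so a later cleanup could move it back beside `RETURN(rc)` and reintroduce the use-after-free described in the commit message. A comment above the call would pin the ordering, for example `/* tally before send: for async RPCs the interpreter may free head once the request is queued */`. The `else` branch and the cleanup path extend outside both hunks, so it is worth confirming that nothing else dereferences `head` after the async submit. The histogram is also now updated before the send result is known, so it presumably counts batches whose send then fails; that seems acceptable for a statistic but is a behaviour change worth noting in the description.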